Legal claims defining the scope of protection, as filed with the USPTO.
1. A server implemented method for analyzing electronic messages for phishing detection, comprising: receiving, by the server, an email message by a recipient/recipient organization from a sender/sender organization; obtaining, by the server, email characteristics by parsing the received email message based on a set of predetermined email characteristics; comparing, by the server, the email characteristics of the received email message with the email characteristics associated with the recipient/recipient organization, and/or the sender/sender organization; declaring, by the server, the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison; wherein the email characteristics are selected from the group consisting of network path used to reach a recipient/recipient organization, geography associated with IP address, email client software used by the sender/sender organization, email client software version used by the sender/sender organization, date, day of week, time, time period of the email, time zone of the sender/sender organization, presence and details of digital signatures in the email, meta data present in header portion of the email, character set used in content of the email, format of the email, email length and subject length, character case of the email, character case of the subject, style of introduction at the top of the email, style and content of the sender/sender organization's signature in the body of the email, other recipient/recipient organizations included in the email, to, and copy circulated (cc'd) email addresses, sender/sender organizations name, sender/sender organizations from and reply to email address, senders organization name, senders domain name, sender's organization's Domain Name Service (DNS) settings including SPF records, sender organization's mail server information, including server ip address, sender/sender organization server network path, sender/sender organization email server software and software version, DKIM signature, spam scoring from spam software, message ID, volume of email sent by the sender/sender organization, volume of email sent by sender's organization, volume of email received by the recipient, volume of email received by recipient organization, details associated with URLs or attachments in the email, whether the recipient/recipient organization has responded to this specific email, and number of interactions between sender and recipient associated with the email and the like; and allowing an administrator to select desired email characteristics to be included in the set of characteristics used for comparing the characteristics of the received email message and to assign a weight of how much each characteristic should influence the likelihood that a new message is a phishing message.
2. The method of claim 1 , further comprising: importing emails received by the recipient/recipient organization over a predetermined time interval; obtaining email characteristics of the imported emails by parsing the recipient/recipient organization's received emails based on the set of predetermined email characteristics; and storing the obtained email characteristics associated with the recipient/recipient organization's and the sender/sender organization's received emails in a database.
3. The method of claim 1 , wherein comparing the email characteristics of the received email message with stored email characteristics associated with the recipient/recipient organization and/or the sender/sender organization, comprises: obtaining a statistical distribution of each of the stored email characteristics associated with the recipient/recipient organization and/or sender/sender organization; and comparing the email characteristics of the received email message with the obtained statistical distribution of prior email characteristics associated with the recipient/recipient organization and/or sender/sender organization.
4. The method of claim 3 , further comprising: determining degree of variance of each email characteristic when compared with the associated statistical distribution; establishing a score based on the determined degree of variance for each email characteristic; assigning weights for each established score based on the determined degree of variance; and obtaining a combined score by adding scores of all the email characteristics in the received email based on the assigned weights.
5. The method of claim 1 , further comprising: storing logs of received emails and any associated phishing activity along with details of why the email was determined to be a phishing email; and outputting the logs of the received emails and any associated phishing activity for viewing on a display device.
6. The method of claim 1 , further comprising: quarantining emails determined to be phishing emails; forwarding quarantined emails to certain users; adding certain text to the header or subject of quarantined emails to mark them as suspect; and outputting quarantined emails for viewing on a display device.
7. The method of claim 1 , further comprising: parsing outbound emails sent by the recipient/recipient organization based on a set of predetermined email characteristics to determine if the outbound email is a response or forward of a previously received email by the recipient/recipient organization; updating the database based on the above determination to indicate that the characteristics of the previously received email are more likely to represent a legitimate sender/sender organization; comparing ongoing emails received from the sender/sender organization with stored email characteristics; and declaring any of the ongoing emails received from the sender/sender organizations as phishing based on the outcome of the comparison.
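The following is an added example, not code from the patent or its assignee, showing how the method of claims 2 through 4 and the feedback step of claim 7 fit together: a per-sender statistical baseline is built from previously received mail, a new message is scored by how far each characteristic departs from that baseline, the per-characteristic scores are combined using administrator-assigned weights, and an outbound reply to an earlier message strengthens that sender's baseline. The characteristic names, the variance and weighting rules, the threshold, and every sample message are assumptions made for this example; the claims list many more characteristics and do not prescribe a scoring formula.

```python
"""Baseline-and-variance phishing scorer (added example; not the patent's own code).
Models claims 2-4 and 7: build a per-sender baseline from prior mail, score a new
message by each characteristic's departure from it, combine with administrator
weights, and feed outbound replies back. Names, rules and samples are assumptions.
"""
from collections import Counter, defaultdict
from statistics import mean, pstdev

# Characteristics the administrator selected, with influence weights (claim 1).
# Names are illustrative assumptions; the claim lists many more characteristics.
WEIGHTS = {
    "tz": 2.0,                # sender time zone
    "mailer": 2.0,            # sender's email client software and version
    "spf": 3.0,               # SPF result derived from the sender's DNS settings
    "reply_to_matches": 3.0,  # whether Reply-To equals the From address
    "hour": 1.0,              # hour of day the message was sent
    "subject_len": 1.0,       # subject length
}
NUMERIC = {"hour", "subject_len"}  # compared by z-score; the rest by frequency
THRESHOLD = 0.5                    # combined score at which we declare phishing


class SenderBaseline:
    """Statistical distribution of each characteristic for one sender (claim 3)."""

    def __init__(self):
        self.cat = defaultdict(Counter)  # characteristic -> value -> count
        self.num = defaultdict(list)     # characteristic -> observed values
        self.seen = {}                   # Message-ID -> characteristics of that mail

    def observe(self, msg):
        for k, v in msg["chars"].items():
            if k in NUMERIC:
                self.num[k].append(v)
            else:
                self.cat[k][v] += 1
        self.seen[msg["message_id"]] = msg["chars"]

    def variance(self, k, v):
        """0.0 means typical for this sender; 1.0 means unseen or a far outlier."""
        if k in NUMERIC:
            hist = self.num[k]
            if len(hist) < 2:
                return 0.5  # too little history to judge either way
            sd = pstdev(hist) or 1.0
            return min(abs(v - mean(hist)) / (3 * sd), 1.0)  # saturates at 3 sigma
        counts = self.cat[k]
        total = sum(counts.values())
        return 1.0 if total == 0 else 1.0 - counts[v] / total


def score_message(baseline, msg, weights=WEIGHTS, threshold=THRESHOLD):
    """Claim 4: per-characteristic variance scores, weighted and summed."""
    reasons, acc, total_w = {}, 0.0, 0.0
    for k, w in weights.items():
        if k not in msg["chars"]:
            continue
        s = baseline.variance(k, msg["chars"][k])
        reasons[k] = round(s, 3)  # retained so a log can state why (claim 5)
        acc += w * s
        total_w += w
    combined = acc / total_w if total_w else 0.0
    return {"score": round(combined, 3), "phishing": combined >= threshold,
            "reasons": reasons}


def learn_from_outbound(baseline, outbound):
    """Claim 7: a reply to a prior message makes that sender more credible, so the
    replied-to message's characteristics are counted again in the baseline."""
    ref = outbound.get("in_reply_to")
    if ref not in baseline.seen:
        return False
    baseline.observe({"message_id": ref + "#replied", "chars": baseline.seen[ref]})
    return True


# Constructed history: twelve ordinary messages from one business contact.
HISTORY = [
    {"message_id": f"<{i}@partner.example>",
     "chars": {"tz": "-0500", "mailer": "Outlook 16.0", "spf": "pass",
               "reply_to_matches": True, "hour": 9 + i % 5, "subject_len": 30 + i % 7}}
    for i in range(12)
]
# Constructed test messages: one in character, one that spoofs the contact.
LEGIT = {"message_id": "<n1@partner.example>",
         "chars": {"tz": "-0500", "mailer": "Outlook 16.0", "spf": "pass",
                   "reply_to_matches": True, "hour": 10, "subject_len": 33}}
SPOOF = {"message_id": "<n2@attacker.example>",
         "chars": {"tz": "+0300", "mailer": "PHPMailer 6.1", "spf": "fail",
                   "reply_to_matches": False, "hour": 3, "subject_len": 72}}


def build_baseline():
    b = SenderBaseline()
    for m in HISTORY:
        b.observe(m)
    return b


if __name__ == "__main__":
    base = build_baseline()
    for m in (LEGIT, SPOOF):
        print(m["message_id"], score_message(base, m))
    print("learned from reply:", learn_from_outbound(base, {"in_reply_to": "<3@partner.example>"}))
```

The in-character message scores near zero because every categorical value matches the history and the numeric values sit within a fraction of a standard deviation of the mean; the spoof scores 1.0 on every selected characteristic, and the `reasons` map carries the per-characteristic detail that a quarantine log or a visual warning to the recipient would cite. Treating an unseen categorical value as full variance is deliberate: a sender who switches mail clients will look anomalous once, and the claim 7 feedback path is what lets the baseline absorb such changes when the recipient actually replies.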
8. The method of claim 1 , further comprising: including visual identifications and reasoning information to the received email based on the outcome of the comparison to assist the recipient/recipient organization of the nature of the received email.
9. The method of claim 1 , further comprising: determining coordinated phishing attacks against an organization by spotting phishing attacks having similar characteristics against multiple users in the organization.
10. The method of claim 1 , further comprising: monitoring changing patterns of outbound emails to determine whether an email client has been compromised and the sender/sender organization is sending a phishing email.
11. The method of claim 1 , further comprising: allowing users to specify an email as a phishing attempt and use the characteristics of this flagged email to filter messages to other users in the organization.
12. A server implemented method for analyzing electronic messages for phishing detection comprising: receiving, by the server, an email message by a recipient/recipient organization from a sender/sender organization; obtaining, by the server, email characteristics by parsing the received email message based on a set of predetermined email characteristics; comparing, by the server the email characteristics of the received email message with the email characteristics associated with the recipient/recipient organization, and/or the sender/sender organization; declaring, by the server, the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison; obtaining contact and background information associated with an email recipient/recipient organization from the recipient's/recipient organizations' online social networks; storing the contact and background information in the database; upon receiving an email, determining whether the contact and background information in the received email is correct using the stored contact and background information; and using outcome of determination as a factor in declaring the received email as a phishing email.
13. The method of claim 12 further comprising: importing emails received by the recipient/recipient organization over a predetermined time interval; obtaining email characteristics of the imported emails by parsing the recipient/recipient organization's received emails based on the set of predetermined email characteristics; and storing the obtained email characteristics associated with the recipient/recipient organization's and the sender/sender organization's received emails in a database.
14. The method of claim 12 wherein comparing the email characteristics of the received email message with stored email characteristics associated with the recipient/recipient organization and/or the sender/sender organization, comprises: obtaining a statistical distribution of each of the stored email characteristics associated with the recipient/recipient organization and/or sender/sender organization; and comparing the email characteristics of the received email message with the obtained statistical distribution of prior email characteristics associated with the recipient/recipient organization and/or sender/sender organization.
15. The method of claim 12 further comprising: parsing outbound emails sent by the recipient/recipient organization based on a set of predetermined email characteristics to determine if the outbound email is a response or forward of a previously received email by the recipient/recipient organization; updating the database based on the above determination to indicate that the characteristics of the previously received email are more likely to represent a legitimate sender/sender organization; comparing ongoing emails received from the sender/sender organization with stored email characteristics; and declaring any of the ongoing emails received from the sender/sender organizations as phishing based on the outcome of the comparison.
16. A system for analyzing electronic messages for phishing detection, comprising: one or more recipient's/recipient organization's email servers; one or more sender's email clients; one or more recipient's email clients; Intranet or Internet; a database; and one or more anti-phishing servers coupled to the database, and further the one or more anti-phishing servers coupled to the one or more recipient's/recipient's organization's email servers, the one or more sender's email clients, and/or the one or more recipient's email clients via Internet or Intranet, wherein the email client plugin module attaches to one or more recipient's email clients and wherein the anti-phishing server comprises: a processor; and a memory coupled to the processor, wherein the memory comprises an anti-phishing module, wherein the anti-phishing module comprises an import module, an analysis and data warehouse module, a mail handler module, an organizational analysis module, an outbound mail relay module, a configuration and management module that are configured to: receiving an email message from one or more sender/sender organizations by one or more recipients/recipient's organization via the mail handler module; obtaining email characteristics by parsing the received email message based on a set of predetermined email characteristics by the analysis and data warehouse module; comparing the email characteristics of the received email message with email characteristics associated with the recipient/recipient organization and/or that sender/sender organization by the analysis and data warehouse module; and declaring the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison by the analysis and data warehouse module; wherein the email characteristics are selected from the group consisting of network path used to reach a recipient/recipient organization, geography associated with IP address, email client software used by the sender/sender organization, email client software version used by the sender/sender organization, date, day of week, time, time period of the email, time zone of the sender/sender organization, presence and details of digital signatures in the email, meta data present in header portion of the email, character set used in content of the email, format of the email, email length and subject length, character case of the email, character case of the subject, style of introduction at the top of the email, style and content of the sender/sender organization's signature in the body of the email, other recipient/recipient organizations included in the email, to, and copy circulated (cc'd) email addresses, sender/sender organizations name, sender/sender organizations from and reply to email address, senders organization name, senders domain name, sender's organization's Domain Name Service (DNS) settings including SPF records, sender organization's mail server information, including server ip address, sender/sender organization server network path, sender/sender organization email server software and software version, DKIM signature, spam scoring from spam software, message ID, volume of email sent by the sender/sender organization, volume of email sent by sender's organization, volume of email received by the recipient, volume of email received by recipient organization, details associated with URLs or attachments in the email, whether the recipient/recipient organization has responded to this specific email, and number of interactions between sender and recipient associated with the email and the like; and wherein the configuration and management module allows an administrator to select desired email characteristics to be included in the set of characteristics used for comparing the characteristics of the received email message and to assign a weight of how much each characteristic should influence the likelihood that a new message is a phishing message.
17. The system of claim 16 , wherein either the import module or the email client plugin module directly imports emails received by the recipient/recipient organization over a predetermined time interval, wherein the analysis and data warehouse module parses the recipient/recipient organization's received emails based on the set of predetermined email characteristics to obtain email characteristics of the imported emails, and wherein the analysis and data warehouse module stores the obtained email characteristics associated with the recipient/recipient organization's and/or sender/sender organization's received email in the database.
18. The system of claim 16 , wherein the analysis and data warehouse module obtains a statistical distribution of each of the stored email characteristics associated with the recipient/recipient organization and/or the sender/sender organization, and wherein the analysis and data warehouse module compares the email characteristics of the received email message with the obtained statistical distribution of prior email characteristics associated with the recipient/recipient organization and/or sender/sender organization.
19. The system of claim 18 , wherein the analysis and data warehouse module determines degree of variance of each email characteristic when compared with the associated statistical distribution, wherein the analysis and data warehouse module establishes a score based on the determined degree of variance for each email characteristic, wherein the analysis and data warehouse module assigns weights for each established score based on the determined degree of variance, and wherein the analysis and data warehouse module obtains a combined score by adding scores of all the email characteristics in the received email based on the assigned weights.
20. The system of claim 16 , wherein the analysis and data warehouse module stores logs of received emails and any associated phishing activity along with details of why the email was determined to be a phishing email in the database, and wherein the configuration and management module outputs the logs of the received emails and any associated phishing activity for viewing on a display device.
21. The system of claim 16 , wherein the mail handler module quarantines emails determined to be phishing emails, wherein the configuration and management module forwards quarantined emails to certain users, wherein the configuration and management module adds certain text to the header or subject of quarantined emails to mark them as suspect, and wherein the configuration and management module outputs the quarantined emails for viewing on a display device.
22. The system of claim 16 , wherein either the email client plugin module or the outbound mail relay module parses outbound emails sent by the recipient/recipients' organization based on a set of predetermined email characteristics to determine if the outbound email is a response or forward of a previously received email by the recipient/recipient organization, wherein the analysis and data warehouse module updates the database based on the above determination to indicate that the characteristics of the previously received email are more likely to represent a legitimate sender/sender organization, wherein the analysis and data warehouse module compares ongoing emails received from the sender/sender organizations with stored email characteristics, and wherein the analysis and data warehouse module declares any of the ongoing emails received from the sender/sender organizations as phishing based on the outcome of the comparison.
23. The system of claim 16 , wherein the mail handler module along with the email client plugin module includes visual identifications and reasoning information to the received email based on the outcome of the comparison to assist the recipient/recipient organization of the nature of the received email.
24. The system of claim 16 , wherein the analysis and data warehouse module determines coordinated phishing attacks against an organization by spotting phishing attacks having similar characteristics against multiple users in the organization.
25. The system of claim 16 , wherein the organization analysis module monitors changing patterns of outbound emails to determine whether an email client has been compromised and the sender/sender organization is sending a phishing email.
26. The system of claim 16 , wherein either the email client plugin module or the configuration and management module allows users to specify an email as a phishing attempt and use the characteristics of this flagged email to filter messages to other users in the organization.
27. A system for analyzing electronic messages for phishing detection, comprising: one or more recipient's/recipient organization's email servers; one or more sender's email clients; one or more recipient's email clients; Intranet or Internet; a database; and one or more anti-phishing servers coupled to the database, and further the one or more anti-phishing servers coupled to the one or more recipient's/recipient's organization's email servers, the one or more sender's email clients, and/or the one or more recipient's email clients via Internet or Intranet, wherein the email client plugin module attaches to one or more recipient's email clients and wherein the anti-phishing server comprises: a processor; and a memory coupled to the processor, wherein the memory comprises an anti-phishing module, wherein the anti-phishing module comprises an import module, an analysis and data warehouse module, a mail handler module, an organizational analysis module, an outbound mail relay module, a configuration and management module that are configured to: receiving an email message from one or more sender/sender organizations by one or more recipients/recipient's organization via the mail handler module; obtaining email characteristics by parsing the received email message based on a set of predetermined email characteristics by the analysis and data warehouse module; comparing the email characteristics of the received email message with email characteristics associated with the recipient/recipient organization and/or that sender/sender organization by the analysis and data warehouse module; declaring the received email message by the recipient/recipient organization as a phishing electronic message based on the outcome of the comparison by the analysis and data warehouse module; and wherein the email client plugin module along with the configuration and management module obtains contact and background information associated with an email recipient from the recipient's online social networks, wherein the analysis and data warehouse module stores the contact and background information in the database, wherein the analysis and data warehouse module, upon receiving an email, determines whether the contact and background information in the received email is correct using the stored contact and background information, and wherein the analysis and data warehouse module uses the outcome of the above determination as a factor in declaring the received email as a phishing email.
28. The system of claim 27 wherein either the import module or the email client plugin module directly imports emails received by the recipient/recipient organization over a predetermined time interval, wherein the analysis and data warehouse module parses the recipient/recipient organization's received emails based on the set of predetermined email characteristics to obtain email characteristics of the imported emails, and wherein the analysis and data warehouse module stores the obtained email characteristics associated with the recipient/recipient organization's and/or sender/sender organization's received email in the database.
29. The system of claim 27 wherein the analysis and data warehouse module obtains a statistical distribution of each of the stored email characteristics associated with the recipient/recipient organization and/or the sender/sender organization, and wherein the analysis and data warehouse module compares the email characteristics of the received email message with the obtained statistical distribution of prior email characteristics associated with the recipient/recipient organization and/or sender/sender organization.
30. The system of claim 27 wherein either the email client plugin module or the outbound mail relay module parses outbound emails sent by the recipient/recipients' organization based on a set of predetermined email characteristics to determine if the outbound email is a response or forward of a previously received email by the recipient/recipient organization, wherein the analysis and data warehouse module updates the database based on the above determination to indicate that the characteristics of the previously received email are more likely to represent a legitimate sender/sender organization, wherein the analysis and data warehouse module compares ongoing emails received from the sender/sender organizations with stored email characteristics, and wherein the analysis and data warehouse module declares any of the ongoing emails received from the sender/sender organizations as phishing based on the outcome of the comparison.
October 22, 2013